Web browsers including Safari on Apple iOS or Apple Mac, Internet Explorer, Edge, Firefox and Chrome may encounter errors using the Remote Control Panel feature unless trusted certificates are installed on the client.

Remote Control Panel (RCP) uses WebSocket technologies to provide an interactive remote window for controlling the device control panel. Modern security-conscious browsers will block some or all WebSocket communications over IPv6 unless a trusted HTTPS certificate is installed on the client. This blocking may take place over IPv4 or IPv6 depending on operating system and web browser. This blocking has been observed on iOS over IPv4 and IPv6 networks.

- A certificate from a trusted certificate authority should be produced and installed.
- The installation of the certificate on the client must be in a location and configuration that allows the client to trust the certificate.
- This certificate cannot be self-signed; it must be signed by an intermediate or root authority.
- This certificate must include the hostname and domain or IP address of the device in the Subject Alternative Name (SAN) Extended Key Usage (EKU) field.

Important: You must be a System Administrator to perform this procedure as it may require administrator privileges and/or knowledge of your network settings. These directions are meant to be used as guidelines for qualified personnel.

Generating a device certificate can be accomplished in different ways, but most workflows will require a Certificate Signing Request (CSR) that is generated on the device.

Note: At the time of writing, the CSR files generated by Xerox VersaLink devices do not include the SubjectAltName values for the fully qualified domain name and IP address. You must consult with your Certificate Authority to ensure that the SubjectAltName key-value pairs are correct for your device implementation.

Use the device to generate a CSR

1. Log in to the Embedded Web Server (EWS) as the administrator of the device.
2. Click on Connectivity > Ethernet > Common and DNS and set the hostname and domain of the device to the required values.
3. Under System, click on Security > Security Certificates > Create > Create Certificate Signing Request and populate the CSR details.
   Note: For questions regarding what values to place in the CSR, consult with your Certificate Authority.
4. Download the certificate (CSR) to your workstation.

After generating a device certificate, there are several ways to generate a certificate for installation on the device. See below for details.

Obtain a certificate from an external Certificate Authority

Several companies provide external Certificate Authority services including VeriSign, Comodo and Thawte. Contact the specific company you will use to determine the exact steps required to submit your CSR and obtain both the device certificate and chain of trust.

Generate a certificate using an internal Certificate Authority created with OpenSSL

Hosting your own internal Certificate Authority is a complex technical task that should not be attempted by personnel not familiar with PKI administration.

Important: These directions are meant to be used as guidelines for qualified personnel. Ensure that your openssl.cnf file includes directives for Subject Alternative Name information that includes the hostname, domain and IP address of the device.

BUILD ROOT CA

    openssl genrsa -aes256 -out private/ca.key.pem 4096
    openssl req -config openssl.cnf -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem

BUILD INTERMEDIATE CA

    openssl genrsa -aes256 -out intermediate/private/intermediate.key.pem 4096
    openssl req -config intermediate/openssl.cnf -new -sha256 -key intermediate/private/intermediate.key.pem -out intermediate/csr/intermediate.csr.pem
    openssl ca -config openssl.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate/csr/intermediate.csr.pem -out intermediate/certs/intermediate.cert.pem

CREATE CERT CHAIN FILE

    copy certs\ca.cert.pem+intermediate\certs\intermediate.cert.pem intermediate\certs\ca-chain.pem

CREATE DEVICE KEY, CSR AND CERT

    openssl genrsa -aes256 -out intermediate/private/device.key.pem 2048
    openssl req -config intermediate/openssl.cnf -key intermediate/private/device.key.pem -new -sha256 -out intermediate/csr/device.csr.pem
    openssl ca -config intermediate/openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in intermediate/csr/device.csr.pem -out intermediate/certs/device.cert.pem

CREATE P7B DER ENCODED FILE

    openssl x509 -outform der -in device.cert.pem -out device.cert.der
    openssl x509 -outform der -in intermediate.cert.pem -out intermediate.cert.der

CREATE PKCS12 PACKAGE WITH KEY, CERT

    openssl pkcs12 -export -inkey intermediate/private/device.key.pem -in intermediate/certs/device.cert.pem -out device.bundle.pfx

Generate a certificate using an existing Microsoft Public Key Infrastructure Certificate Authority that exposes the CertSrv web interface

1. Navigate to your CertSrv website and log in.
2. Select Request a Certificate.
3. Select submit an advanced certificate request.
4. Open the default.pem file that contains the Certificate Signing Request you generated on the print device in Notepad and copy the contents of the file.
5. Paste the contents of default.pem in the Base-64-encoded certificate request field.
6. Select the Web Server certificate template from the drop-down menu.
7. Enter any additional attributes. If necessary, check with your Microsoft PKI Administrator if you are uncertain about additional attributes or certificate template selection.
8. Click on Submit.
9. Download the certificate in DER encoded format.
10. Download the certificate chain.

For a device certificate to be used to allow RCP use on modern browsers it must meet the following criteria:

- It must be signed by an intermediate or root certificate authority; it cannot be self-signed. On Microsoft Windows you can double-click on a certificate file and examine the 'Certification Path'.
  - If the only certificate displayed in the 'Certification Path' dialog is the certificate being examined, it will not be suitable for RCP.
  - If the certificate chain is displayed, then the certificate may be used for RCP provided it meets the rest of the criteria.
  - If the certificate is the only certificate in the Certification Path field, but the Certification Status field says that the issuer could not be found, this certificate may be used provided that the intermediate and root certificates are subsequently installed on the client.
- It must contain the hostname and domain of the device and/or the device IP address in the Subject Alternative Name field. On Microsoft Windows you can double-click on a certificate file and examine the 'Details', 'Subject Alternative Name' field values.
  - These values should include a 'DNS Name=' key-value pair that matches the domain and hostname of the device.
  - These values may also include an 'IP Address=' key-value pair that matches the IP address of the device.

You may install the device certificates using the Embedded Web Server. Other methods to install the certificates are possible, but not documented here.

1. Log in to the device as an administrator.
2. Under Systems, click on Security > Security Certificates > Import.
3. Your certificate must be in a DER encoded P7B package format.

The certificate authority will have created and shared with you a chain of trust as part of the certificate creation process. This is a package of one or more certificates that the device certificate trusts. These certificates must be installed on the client that is expected to use RCP.

For Microsoft Windows:

1. Open a CMD prompt and type: mmc.exe, then press Enter. A console window opens.
2. Click on File, then select Add/Remove Snap-in.
3. Select certificates from the Available snap-ins list.
4. When prompted, select the user account.
5. Click OK to install the snap-in.
6. Under the Console Root of the window, expand Certificates and locate the Trusted Root Certification Authority folder.
7. Expand the Certificates folder underneath.
8. Right-click on the folder and select All Tasks, Import.
9. Use the resulting wizard to import the certificates in the chain of trust from the CA.

For Apple iOS:

1. Copy the certificates to the device using Text, Email, Dropbox or Safari.
2. Unlock the iOS device.
3. Activate the certificate by selecting it. This will open the certificate in Settings under Install Profile.
4. Select Install and enter your device passcode, if prompted.
5. Select Install twice to confirm.
6. From the home screen, select Settings > General > About > Certificate Trust Settings.
7. Enable Full Trust for the installed certificate by selecting the enablement toggle.

For Apple Mac OSX:

1. Copy the certificates to the device.
2. Double-click on the certificate to activate. The certificate will appear in Login.
3. Change the keychain to System and import.
4. Locate the certificate in the System category and double-click on it.
5. Expand the Trust selection, and change When using this certificate to Always Trust.
6. Close the window.
7. Enter the user password when prompted.

For Firefox:

Firefox Browser manages certificates independently of the operating system.

1. Copy the certificates to the device.
2. Launch Firefox.
3. Enter about:preferences#privacy in the address bar.
4. Scroll down to locate Security, then select View Certificates.
5. Select Authorities at the top of the dialog box.
6. Select Import at the bottom.
7. Browse to select the RootCA.
8. Check Trust this CA to identify websites.
9. Click OK twice to close the dialogs.
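The openssl.cnf Subject Alternative Name directive and the two RCP certificate criteria described above, as an added example that is not part of the original article: it signs a CSR that carries no SAN (as the note says VersaLink CSRs do) once without and once with a `server_cert` section containing `subjectAltName`, then checks each certificate. The hostname, IP address, throwaway single-level CA and the use of `openssl x509 -req` in place of `openssl ca` are assumptions made so the demo needs no CA database.

```shell
#!/usr/bin/env bash
# Added example. Hostname, address, CA and file names are constructed placeholders.
set -eu
FQDN="printer01.example.internal"   # assumed device hostname + domain
IP="192.0.2.10"                     # assumed device address (documentation range)
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT

# Minimal config; [ server_cert ] is the section that has to carry the SAN entries.
cat > "$W/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$FQDN, IP:$IP
EOF

# Throwaway CA, plus a CSR without SAN standing in for the device's default.pem.
openssl req -x509 -config "$W/openssl.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
  -subj "/CN=Demo Root CA" -days 30 -keyout "$W/ca.key.pem" -out "$W/ca.cert.pem" 2>/dev/null
openssl req -new -config "$W/openssl.cnf" -newkey rsa:2048 -nodes \
  -subj "/CN=$FQDN" -keyout "$W/device.key.pem" -out "$W/device.csr.pem" 2>/dev/null

# sign CSR OUT [extra x509 args]: issue a certificate from the demo CA.
sign() { csr=$1; out=$2; shift 2
  openssl x509 -req -in "$csr" -CA "$W/ca.cert.pem" -CAkey "$W/ca.key.pem" \
    -set_serial 0x1001 -days 375 -sha256 -out "$out" "$@" 2>/dev/null; }
sign "$W/device.csr.pem" "$W/no-san.cert.pem"   # CA adds nothing, so the SAN is missing
sign "$W/device.csr.pem" "$W/device.cert.pem" -extfile "$W/openssl.cnf" -extensions server_cert

# Criterion 1: not self-signed (subject differs from issuer) and the chain verifies.
is_ca_signed() { [ "$(openssl x509 -in "$1" -noout -subject_hash)" != \
                   "$(openssl x509 -in "$1" -noout -issuer_hash)" ] &&
  openssl verify -CAfile "$W/ca.cert.pem" "$1" >/dev/null 2>&1; }
# Criterion 2: exact SAN entry present, e.g. "DNS:host.domain" or "IP Address:192.0.2.10".
has_san() { openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
  tail -n 1 | tr ',' '\n' | sed 's/^ *//' | grep -Fxq "$2"; }

rcp_ready() { is_ca_signed "$1" && has_san "$1" "DNS:$FQDN" && has_san "$1" "IP Address:$IP"; }
for c in no-san device; do
  rcp_ready "$W/$c.cert.pem" && echo "$c.cert.pem: meets criteria" || echo "$c.cert.pem: rejected"
done
```

To check a real certificate, call `is_ca_signed` and `has_san` on the PEM file returned by your CA, with `-CAfile` pointing at the chain of trust it supplied.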